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I present a variety of results on the theory of quantum 
secret sharing. I show that any mixed state quantum secret 
sharing scheme can be derived by discarding a share from 
a pure state scheme, and that the size of each share in a 
quantum secret sharing scheme must be at least as large as 
the size of the secret. I show that the only constraints on 
the existence of quantum secret sharing schemes with general 
access structures are monotonicity (if a set is authorized, so 
are larger sets) and the no-cloning theorem. I also discuss 
some aspects of sharing classical secrets using quantum states. 
In this situation, the size of each share can sometimes be half 
the size of the classical secret. 



I. INTRODUCTION 

In a classical secret sharing scheme, some sensitive clas- 
sical data is distributed among a number of people such 
that certain sufficiently large sets of people can access 
the data, but smaller sets can gain no information about 
the shared secret. For instance, a possible application is 
to share the key for a joint checking account shared by 
many people. No individual is able to withdraw money, 
but sufhciently large groups can use the account. 

One particularly symmetric variety of secret sharing 
scheme is called a threshold scheme. A (fc, n) classical 
threshold scheme has n shares, of which any k are suffi- 
cient to reconstruct the secret, while any set of fc — 1 
or fewer shares has no information about the secret. 
Blakcly [Q and Shamir [g showed that threshold schemes 
exist for all values of k and n with n > k. 

It is also possible to consider more general secret shar- 
ing schemes which have an asymmetry between the power 
of the different shares. For instance, one might consider 
a scheme with four shares A, B, C, and D. Any set 
containing A, B, and C or A and D can reconstruct 
the secret, but any other set of shares has no informa- 
tion. In this example, the presence of A is essential to 
reconstructing the secret, but not sufficient — A needs 
the help of either D or both B and C. This particular 
scheme can be constructed by taking a (5, 7) threshold 
scheme, and assigning 3 shares to A, 2 to D, and 1 to 
each of B and C, but other schemes exist which cannot 



be constructed by bundling together shares of a threshold 
scheme. The list of which sets are able to reconstruct the 
secret is called an access structure for the secret sharing 
scheme. It turns out that a secret sharing scheme exists 
for any access structure, provided it is monotone |3| — 
i.e., that if a set S can reconstruct the secret, so can all 
sets containing S. 

With the advent of quantum computation, it is possible 
that quantum information may someday be as common- 
place as classical information, and we may wish to protect 
it the same ways as we protect classical information. Us- 
ing quantum secret sharing [Q, we could perhaps create 
joint checking accounts containing quantum money [pj, 
or share hard-to-create ancilla states Q , or perform a se- 
cure distributed quantum computation. M showed some 
basic results about quantum secret sharing schemes, in- 
cluding the existence of quantum threshold schemes. A 
quantum ((fc,n)) threshold scheme (the use of double 
parentheses distinguishes it from a classical scheme) ex- 
ists provided the no-cloning theorem is satisfied — i.e., 
n/2 < k < n. In this paper, I will prove some further re- 
sults about quantum secret sharing schemes with general 
access structures, including the fact that the no-cloning 
theorem and monotonicity provide the only restriction 
on the existence of quantum secret sharing schemes. 

Another possible application of quantum states to se- 
cret sharing is to create secret sharing schemes sharing 
classical data using quantum states 0,^. This could 
allow, for instance, for more secure distribution of the 
shares of the scheme. I will show below that it can also 
produce more efficient schemes: in any purely classical 
scheme, the size of each important share must be at least 
as large as the size of the secret, whereas using quantum 
states to share a classical secret, we can sometimes make 
each share half the size of the secret. 

In the theory of classical secret sharing, one sometimes 
considers schemes which do not completely hide the se- 
cret from unauthorized groups of people, or from which 
the secret cannot be perfectly reconstructed even by au- 
thorized sets. I will not consider the quantum general- 
izations of such schemes. I will only consider the theory 
of perfect secret sharing schemes, in which the data is 
either completely revealed or completely hidden, with no 
middle ground. 
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II. QUANTUM SECRET SHARING 

I will begin by reviewing some results from B which 
will form the basis of much of the later discussion. In a 
perfect quantum secret sharing scheme, any set of shares 
is either an authorized set, in which case someone hold- 
ing all of those shares can exactly reconstruct the origi- 
nal secret, or an unauthorized set, in which case someone 
holding just those shares can acquire no information at 
all about the secret quantum state (that is, the density 
matrix of an unauthorized set is the same for all encoded 
states). For a generic state split up into a number of 
shares, most sets will be neither authorized nor unautho- 
rized — quantum secret sharing schemes form a special 
set of states. 

One constraint on quantum secret sharing schemes is 
an obvious one inherited from classical schemes. Any 
secret sharing scheme must be monotonic. That is, if we 
increase the size of a set, it cannot switch from authorized 
to unauthorized (the indicator function which is for 
unauthorized sets and 1 for authorized sets is monotonic). 

As we shall see in section Q], the only other con- 
straint on quantum secret sharing schemes is the no- 
cloning theorem [§,Q. We cannot make two copies of 
an unknown quantum state. Therefore, we cannot dis- 
tribute the shares of quantum secret sharing scheme into 
two disjoint authorized sets (each of which could produce 
a copy of the original state). Since every set is either au- 
thorized or unauthorized, this implies the complement of 
an authorized set is always an unauthorized set. 

A pure state quantum secret sharing scheme encodes 
pure state secrets as pure states (when all of the shares 
are available). A mixed state quantum secret sharing 
scheme may encode some or all pure states of the secret 
as mixed states. Pure state schemes have some special 
properties, as a consequence of the following theorem, 
but the general quantum secret sharing scheme is a mixed 
state scheme. 

Theorem |l| and Corollary g first appeared in Q . 

Theorem 1 Let C be a subspace of a Hilbert space Ti 
which can be written as tensor product of the Hilbert 
spaces of various coordinates. Then C corrects erasure 
error^ on a set K of coordinates iff 



\E\4>) = c{E) 



(1) 



(independent o/ |(/)) G C) for all operators E acting on K . 
A pure state encoding of a quantum secret is a quantum 



^An erasure error is a general error on a known coordinate. 
For instance, it replaces the coordinate with a state [e) or- 
thogonal to the regular Hilbert space. Recall that a quantum 
error-correcting code of distance d can correct d — 1 erasure 
errors or [(d — 1)/2J general errors. 



secret sharing scheme iff the encoded space corrects era- 
sure errors on unauthorized sets and it corrects erasure 
errors on the complements of authorized sets. 



Proof: The first equivalence follows from the theory of 
quantum error-correcting codes. To recover the original 
secret on an authorized set, we must be able to compen- 
sate for the absence of the remaining shares, which is to 
say from an erasure error on the complement of the au- 
thorized set. The condition (|I|) implies that measuring 
any Hermitian operator on the coordinates K gives us no 
information about which state in C we have. This means 
the density matrix on K does not depend on the state, 
which is precisely the condition we need an unauthorized 
set to satisfy. □ 

As a corollary, we find that pure state schemes are only 
possible for a highly restricted class of access structures. 

Corollary 2 In a pure state quantum secret sharing 
scheme, the authorized sets are precisely the complements 
of the unauthorized sets. 

Proof: By the no-cloning theorem, the complement of 
an authorized set is always an unauthorized set. By the- 
orem |l|, for a pure state scheme, we can correct erasure 
errors on any unauthorized set. This means we can re- 
construct the secret in the absence of those shares; that 
is, the complement is an authorized set. □ 

Suppose we start with an arbitrary quantum access 
structure (a set of authorized sets) and add new autho- 
rized sets, filling out the result to be monotonic. For 
instance, if we started with the access structure ABC or 
AD from the introduction (any set containing A, B, and 
C is authorized, as is any set containing both A and D), 
we could add the set BD (so any set containing B and D 
is also now authorized). We wish to continue to satisfy 
the no-cloning theorem as well, so we never add a new 
authorized set contained in the complement of an exist- 
ing authorized set. This ensures that the complement of 
every authorized set remains an unauthorized set. For 
instance, in the example, we could not have added BC 
as an authorized set, since its complement AD is already 
authorized. 

Initially, there may be unauthorized sets whose com- 
plements are also unauthorized, but if we continue adding 
authorized sets, we will eventually reach a point where 
the authorized and unauthorized sets are always com- 
plements of each other, as is required for a pure state 
scheme. In the example, we could add CD as an autho- 
rized set. Now, the authorized sets are all sets containing 
ABC, AD, BD, or CD. At this point, we wiU have to 
stop adding authorized sets — any more would violate 
the no-cloning theorem. Thus, an access structure where 
the authorized and unauthorized sets are complements of 
each other is a maximal quantum access structure. 



Pure state schemes and maximal access structures may 
seem like a very special situation, but in fact they play 
a central role in the theory of quantum secret sharing 
because of the following theorem: 

Theorem 3 Every mixed state quantum secret sharing 
scheme can be described as a pure state quantum secret 
sharing scheme with one share discarded. The access 
structure of the pure state scheme is unique. 

Proof: Given a superoperator that maps the Hilbert 
space S of the secret to density operators on H (which 
is a tensor product of the Hilbert spaces of the various 
shares), we can extend the superoperator to a unitary 
map from S to Ti^£ for some space £. We assign this ad- 
ditional Hilbert space to the extra share. In other words, 
we can "purify" the mixed state encoding by adding an 
extra share. The original mixed state scheme is produced 
by discarding the extra share. I claim that the new pure 
state encoding is a quantum secret sharing scheme. 

Sets on the original shares remain authorized or unau- 
thorized, as they were before adding £. Given a set T 
including the extra share, look at the complement of T, 
which is a set not including £ and is thus either autho- 
rized or unauthorized (in the new scheme as well as the 
old). For instance, if we purify the scheme {ABC or 
AD) by adding a fifth share E, the complement of CDE 
is unauthorized, while the complement of DE is autho- 
rized. If the complement is authorized, then we can cor- 
rect for erasures on T, and condition (|l|) holds for T — 
we can get no information about the secret from T, and T 
is unauthorized. If the complement of T is unauthorized, 
we can correct erasures on the complement. Therefore, 
we can reconstruct the state with just T, and T is autho- 
rized. Thus, the new scheme is secret sharing. 

It is clear from the argument that any other purifica- 
tion of the mixed state scheme would produce the same 
access structure. □ 

In 01 , we presented a class of quantum secret sharing 
schemes where every share had the same size as the se- 
cret. One might wonder if it is possible to do better. For 
instance, can we make one share much smaller than the 
secret, possibly at the cost of enlarging another share? 
The answer is no, provided we only consider important 
shares (unimportant shares never make a difference as to 
whether a set is authorized or unauthorized). 

Theorem 4 The dimension of each important share of a 
quantum secret sharing scheme must be at least as large 
as the dimension of the secret. 

Proof: We need only prove the result for pure state 
schemes. By theorem 0, the result for mixed state 
schemes will follow. 

Let S be an important share in a pure state quantum 
secret sharing scheme. Then there is an unauthorized set 
T such that T U {S} is authorized. Share the state |0) 



and give the shares of T to Bob and the remaining shares 
(including S) to Alice. By corollary g, Alice's shares 
form an authorized set; she can correct for erasures on 
T. By theorem |6| below, this means Alice can perform 
any operation she likes on the secret without disturbing 
Bob's shares. She can equally well perform quantum in- 
teractions between the secret and other quantum states 
held by her. In particular, if Alice has state {ip) from 
a Hilbert space of dimension s (the size of the secret), 
she can coherently swap it into her shares of the secret 
sharing scheme, which now encodes the state |'0). Then 
Alice sends just the share S to Bob. Bob now has an 
authorized set, so he can reconstruct lip). Therefore, by 
theorem ra below, share S must have had dimension at 
least s as well. □ 

The above proof depends on two theorems of interest 
outside the theory of quantum secret sharing. The first is 
obvious, and it is also true; it has not, to my knowledge, 
appeared before in the literature. 

Theorem 5 Even in the presence of preexisting entan- 
glement, sending an arbitrary state from a Hilbert space 
of dimension s requires a channel of dimension s. 

Proof: This proof is due to Michael Nielsen [Q . 

Assume that in addition to whatever entanglement is 
given, Alice and Bob share a cat state ^ \i)A\'i)B of di- 
mension s. Using a straightforward variant of supcrdcnse 
coding (l2| , Alice can encode one of s^ classical states in 
this cat state. Now Alice transmits her half of the cat 
state to Bob, using the preexisting entanglement if it 
helps. Bob can now reconstruct the classical state, so by 
the bounds on superdense coding |l3[ , Alice must have 
used a channel of dimension s. □ 

The second theorem is more interesting. It says that 
if Alice can read a piece of quantum data, she can also 
change it any way she likes, without disturbing any en- 
tanglement of the encoding with the outside. There will 
be no way to tell that the data has been changed. 

Theorem 6 Suppose a superoperator S maps a Hilbert 
space H to density operators on A® B , and S restricted 
to A (that is, traced over B) is invertible (by quantum 
operation). Then for any unitary U : H —> H, there 
exists a unitary operation V : A ^ A such that V o S = 
SoU. 

Proof: We can extend the superoperator 5 to a unitary 
operator W and enlarge B with the necessary extra di- 
mensions. If V works for W, it will also work for S. Since 
W is invertible on A, the image subspace corrects erasure 
errors on B, and 



{iP\E\^) = c{E) 



(2) 



for any operator E acting on B, where c{E) is indepen- 
dent of \ip) S W{H). Choose a basis \j)b for B. Given 
any state \'tp) in the image of W , we can write it as 



Eiv^. 



•a\])b- 



(3) 



(The states \ipj) are not necessarily orthogonal, although 
we could have made them orthogonal for any single |?A).) 
If we let E he a. projection on the basis states of B, or a 
projection on the basis states followed by a permutation 
of those basis states, (H) implies that the inner products 
(f/'ilV'j) are independent of \tp). Therefore, there is a uni- 
tary operation V acting on A that takes any set of states 
\4'j)a for 1^) € W{H) to the set of states |0j)a for any 
state 10) € W{H). In fact, V wih map jV') to |0). 

More generally, and by the same logic, given any two 
bases of W{H), there will be a unitary V on A that 
takes one to the other. Given U : H ^ H, we can define 
U as mapping a basis \vi) to basis \wi). Then define 
V : A ^ A a.s an operator that maps VF|wi) to W\wi), 
and the theorem follows. □ 

I conclude this section with an easy theorem that will 
be needed in the construction of a general access struc- 
ture. 

Theorem 7 // 5*1 and S2 are quantum secret sharing 
schemes, then the scheme formed by concatenating them 
(expanding each share of Si as the secret of S2) is also 
secret sharing. 

The reason this requires proof is that, due to some 
nonlocal quantum effect, it might have been possible to 
get more information from sets in two copies of 5*2 than 
can be accessed from just one of the sets. 

Proof: By theorem |3| we need only consider pure state 
schemes. Then the concatenated scheme S* is a pure state 
scheme too. Suppose we have some set of shares T. We 
can write it as the union IJ Ti , where Ti is a set on the ith 
copy of 82- Consider the set U of copies on which Ti is 
authorized. U is either an authorized or an unauthorized 
set of 5*1 . If it is authorized, then our big set T is certainly 
authorized — we reconstruct the copies of S2 in U, and 
use U to reconstruct the original secret. 

If U is unauthorized, we look at the complement of 
T. It can be written as a union IJT/, where T/ is the 
complement of Ti in its copy of 5*2. T/ is authorized 
whenever Ti is unauthorized. Therefore, the set of copies 
on which T/ is authorized is the complement of C/, which 
is authorized. Thus, the complement of T is authorized, 
so T is unauthorized. □ 

Clearly the proof works equally well for more com- 
plicated concatenation schemes, with multiple levels or 
with a different scheme 5*2 for each share of Si. Also 
note that if we bundle shares together (assigning two or 
more shares to the same person) , the result is still a secret 
sharing scheme. 



III. CONSTRUCTION OF A GENERAL ACCESS 
STRUCTURE 

This section will be devoted to proving that monotonic- 
ity and the no-cloning theorem provide the only restric- 
tions on the existence of quantum secret sharing schemes. 
The same result has been shown by Adam Smith [H by 
adapting a classical construction. The construction given 
here is undoubtedly far from optimal in terms of the share 
sizes of the resulting schemes. 

Theorem 8 A quantum secret sharing scheme exists for 
an access structure S iff S is monotone and satisfies the 
no-cloning theorem (i.e., the complement of an autho- 
rized set is an unauthorized set). For any maximal quan- 
tum access structure S , a pure state scheme exists. 

It will be helpful to first understand an analogous clas- 
sical construction g]. Any access structure can be writ- 
ten in a disjunctive normal form, which is the OR of a 
list of authorized sets. For our standard example, with 
authorized sets ABC and AD, the normal form is {A 
AND B AND C) OR {A AND D). This normal form 
provides a construction in terms of threshold schemes — 
the AND gate corresponds to a (2, 2) threshold scheme 
(which has one authorized set A AND B), while the OR 
gate corresponds to a (1,2) threshold scheme (for which 
A OR B is authorized). Then by concatenating the ap- 
propriate set of threshold schemes, we get a construction 
for the original access structure. 

In the quantum case, this construction fails, because 
by the no-cloning theorem, there is no ((1,2)) quantum 
threshold scheme. A single authorized set (such as A 
AND B AND C) still corresponds to a quantum thresh- 
old scheme (a ((3,3)) scheme in this case), but to take 
the OR of these authorized sets, we will have to do some- 
thing different. We will replace the ((1,2)) scheme with 
((r, 2r — 1)) schemes (which correspond to majority func- 
tions instead of OR) . r of the shares will be the individual 
authorized sets of the desired access structure, and the 
other 7' — 1 shares will be from another access structure 
that is easier to construct. 

The full construction is recursive. Given constructions 
of access structures for n — 1 shares, we will construct all 
maximal access structures for n shares. From maximal 
access structures on n shares we will be able to construct 
all access structures on n shares. We can start from the 
base case of 1 share, which just has the trivial ((1,1)) 
access structure. The construction will assume we know 
how to create threshold schemes, for instance using the 
construction in Q| . 

Given any maximal access structure S on n shares, 
consider the access structure S" obtained by discarding 
one share. Certainly S" is still monotonic and still satis- 
fies the no-cloning theorem. Therefore, by the inductive 
hypothesis, we have a construction for the access struc- 
ture S' . Now, following the proof of theorem 0, add an 
additional share to S' putting it in an overall pure state. 



By the proof of theorem || we know the resulting scheme 
is in fact a quantum secret sharing scheme. It is not hard 
to see that S is the unique access structure produced this 
way. 

For instance, the maximal access structure ABC OR 
AD OR BD OR CD can be formed by purifying the 
(mixed state) scheme with access structure ABC (just a 
((3,3)) threshold scheme). 

Now suppose we are given a general quantum access 
structure S onn shares. We describe this access structure 
by a list of its minimal authorized sets Ai,A2,...,Ar. As 
mentioned above, Ai by itself defines a quantum access 
structure — a {{k,k)) threshold scheme, in fact, if Ai 
contains k shares. 

S has a total of r minimal authorized sets. Let us take 
a ((r, 2r — 1)) quantum threshold scheme, and expand 
each of its shares using another secret sharing scheme. 
Share i, for i = 1, . . . , r, is expanded using the threshold 
scheme associated with the set Ai . Shares r + 1 through 
2r — 1 will all be expanded using another secret sharing 
scheme S". 

S" will be a pure state scheme, with a maximal access 
structure which can be achieved by adding authorized 
sets to S. That means when A is an authorized set of S 
(so it contains some Ai), it is also an authorized set of 
S'. Therefore, we can reconstruct the last r —1 shares of 
the ((r, 2r— 1)) scheme, as well as at least one of the first 
r shares, so A is an authorized set for the concatenated 
scheme. 

Conversely, if we have a set B which does not include 
any of the sets Ai, we do not have an authorized set 
for any of the schemes Ai. B might be an authorized 
set for the scheme S', but that only gives us authorized 
sets for at most r — 1 shares of the ((r, 2r — 1)) scheme. 
Therefore, B is an unauthorized set. This shows that the 
access structure of the concatenated scheme is exactly S, 
completing the construction. 

As an example, consider this construction applied to 
the access structure ABC OR AD. The three rows rep- 
resent shares of a ((2,3)) scheme, so authorized sets on 
any two rows suffice to reconstruct the secret. Repeated 
letters imply bundling, so A gets a share from each of the 
first two rows, as well as one from the third row. 



((2,3)) scheme ■ 



((3,3)) 
((2,2)) 
S' 



A, 
A, 



C 



(4) 



The first two rows are threshold schemes. S' is a maximal 
access structure containing {A,B,C} and {A,D}. For 
instance, in this case, S' could be the scheme ABC OR 
AD OR BD OR CD which we constructed earlier; or we 
could just use the trivial scheme with authorized set {A\ 
(give A the secret). 

I noted in the introduction that this particular scheme 
can be easily constructed directly from a ((5,7)) thresh- 
old scheme. However, not all access structures can be 
made by bundling together shares of a threshold scheme 



(for instance, ABCD OR ADE OR BCD cannot be so 
constructed^] — E would have to get more shares of the 
threshold scheme than B since ADE is authorized while 
ABD is not, but BCD is authorized while CDE is not), 
while the recursive construction always works. 



IV. SHARING CLASSICAL SECRETS 

We can also use quantum states to share classical se- 
crets, a process previously considered in [Q and Q. Many 
of the theorems proved above will fail in this situation. 
For instance, superdense coding |12f| provides an example 
of a (2, 2) threshold scheme where each share is a single 
qubit, but the secret is two classical bits: the four Bell 
states |00) ± |11), |01) ± |10) encode the four possible 2-bit 
numbers, and for all four states, each qubit is completely 
random. This (2, 2) scheme is a pure state scheme, yet 
does not satisfy corollary g, and the share size is smaller 
than the size of the secret. Neither is possible for a purely 
classical scheme or for a purely quantum scheme. An- 
other difference is that there is no rule against copying 
classical data, so, for instance, {k,n) threshold schemes 
are allowed, even with k < n/2. 

We can write down conditions for a pure state scheme 
of this sort to be secret sharing, along the lines of theo- 
rem m. 

Theorem 9 Suppose we have a set of orthonormal states 
\'ipi) encoding a classical secret. Then a set T is an unau- 
thorized set iff 



(V.|i^|V'^)=c(F) 



(5) 



(independent of i) for all operators F on T . T is autho- 
rized iff 

(V',|i?|V',)=0 [i^j) (6) 

for all operators E on the complement of T . 

Note that only the basis states jV^i) appear in Theo- 
rem ^, whereas in Theorem |lj, the condition had to hold 
for all |-0) in a Hilbert space. This is the source of the 
difference between classical and quantum secrets — the 
former hides just a set of orthogonal states, while the 
latter hides all superpositions of those states. 

Proof: On an unauthorized set, we should be able to 
acquire no information about which state |'0i) we have. 



^For quantum access structures, threshold schemes suffice for 
fewer than five shares, whereas for classical access structures, 
there are examples where they fail for four shares. This is 
because the four-share classical examples would violate the 
no-cloning theorem. 



This is precisely condition (||). On an authorized set, we 
need to be able to correct for the erasure of the qubits 
on the complement. This is equivalent to being able to 
distinguish the state \il)i) from the state \il)j) with an 
arbitrary operator applied to the complement of T. That 
is, it is equivalent to condition (|6|). □ 

Note that purely classical secret sharing schemes can 
be considered as a particular special case of sharing 
classical data with quantum states — every encoding 
in a purely classical scheme is just a mixture of tensor 
products of basis states. Purely classical secret sharing 
schemes are always mixed state schemes, since classically, 
there is no way to hide information without randomness. 

Supcrdcnsc coding provided an example where using 
quantum data allowed a factor of 2 improvement in space 
over any classical scheme. It turns out that this is the 
best we can do. 

Theorem 10 The dimension of each important share of 
a classical secret sharing scheme must be at least as large 
as the square root of the dimension of the secret. The 
total size of each authorized set must be at least as large 
as the secret. 

This means that a 2n-bit secret requires shares of at 
least n qubits. 

Proof: The proof is quite similar to the proof of theo- 
rem y, which gives the corresponding result for quantum 
secret sharing schemes. We create the quantum state 
corresponding to the shared secret 0. If it is a mixed 
state scheme, we include any extra qubits needed to pu- 
rify it (the result may not be a secret sharing scheme, 
however — theorem ra need not hold) . If 5 is the share 
under consideration, and T is an unauthorized set such 
that T U {S} is authorized, give T to Bob, and all the 
other shares (including S and the extra purifying qubits) 
to Ahce. 

Bob has no information about the secret; {ipi\E\i/ji) 
is independent of i. Therefore, as in the proof of theo- 
rem 0, Alice can perform, without access to Bob's qubits, 
a transformation between jf/jo) (the current state) and 
lipi) for any i. Then she sends the share S to Bob, who 
now has an authorized set, and can reconstruct i. We 
have sent a secret of dimension s using prior entangle- 
ment and the share S, which by the bounds on super- 
dense coding 1 13 1 must therefore have dimension at least 
^/s. Those bounds also show the size of the channel plus 
preexisting entanglement must be s, so the size of the full 
authorized coalition is at least s. □ 

Note that we used an analogue of theorem g in the 
proof. The general case of theorem o is clearly not true 
here: Since the data is classical, we could make two copies 
of it. Then one copy is sufficient to read it, but both are 
needed to change it without leaving a trace. In fact, the 
version of the theorem we have used is just the proof that 



perfect quantum bit commitment is impossible ||lq,nM — 
Bob has no information about the state, so Alice can 
change the state to whatever she likes. 

Besides being an interesting result about secret sharing 
schemes, this theorem is useful in analyzing other cryp- 
tographic concepts. For instance, it shows that there is 
no useful unconditionally secure cryptographic memory 
protocol, which can only be unlocked with a key, which 
we would want to be much smaller than the stored data. 
Such a protocol would be a (2,2) secret sharing scheme, 
so the theorem requires that the key be at least half the 
size of the data. 

Theorem ^ can be easily modified to show that in 
any purely classical scheme, each important share must 
be at least dimension s, not yG. This follows because if 
Alice and Bob are just sending classical states back and 
forth, they need a channel of dimension s to send the 
secret rather than dimension y^. We have already seen 
one example where this improvement is achievable using 
quantum states. 

When else can we get this factor of 2 improvement in 
the number of qubits per share? I do not have a full 
answer to this question. Certainly for a (1,?t.) threshold 
scheme, no improvement is possible, since each autho- 
rized coalition (each single share) must be as large as the 
secret. For many other threshold schemes, however, an 
improvement is possible. 

Theorem 11 ^ ik,n) threshold scheme exists sharing 
a classical secret of size s = p^ with one qupit (a p- 
dimensional quantum state) per share whenever n < 
2k — 2, p > n, and p is prime. 

Before giving the proof, I will review some basic facts 
about quantum and classical error-correcting codes which 
will be needed in the construction. A classical linear 
[n, k, d\ code encodes k bits in n bits and corrects d — 1 
erasure errors. Classical codes must satisfy the Singleton 
bound d < n — k + 1. A code C where the bound is 
met exactly is called an MDS code (for "maximum dis- 
tance separable"), and has some interesting properties. 
The dual C^ of C (composed of those words which have 
vanishing inner product with all words of C) is also an 
MDS code. When C is an [n,k,n — k + 1] code, C^ is 
an [n,n — k,k+ 1] code. The codewords of the dual code 
form the rows of the parity check matrix. By measuring 
the parities specified by the parity check matrix, we can 
detect errors — any parity which is nonzero signals an 
error. In addition, in an MDS code, there is a codeword 
with support exactly on the set T for any set T of size 
d. See, for instance, chapter 11 of ^^ for a discussion of 
MDS codes. 

Quantum codes can frequently be described in terms of 
a stabilizer Pq,E9l . The stabilizer of a code is an Abelian 
group consisting of those tensor products of Pauli ma- 
trices which fix every quantum codeword. That is, the 
codewords live in an eigenspace of all elements of the sta- 
bilizer. If the stabilizer contains 2" elements, it is gen- 
erated by just a elements, and if we have n qubits, the 



code encodes n — a qubits. We usually consider the +1 
eigenspace of the stabilizer generators, but we could in- 
stead associate an arbitrary sign to each generator. Ten- 
sor products of Pauli matrices have eigenvalues ±1, so 
each set of signs will specify a different coding subspace 
of the same size. 

Stabilizer codes can be easily generalized to work over 
higher dimensional spaces [2^]. We replace the regular 
Pauli matrices with their analogs for p-dimensional states 

^ ■ |j) '~^ b + l)i Z '■ \j) '^ '^■'|j)j and powers and 
products of X and Z (arithmetic is now modulo p, and 
Lu — exp(27ri/p)). The eigenvalues of X, Z and their 
products and tensor products are powers of w, so instead 
of associating a sign with each generator of the stabilizer, 
we should instead associate a power of uj. 

There is a standard construction, known as the CSS 
construction ||2l|,^, which takes two binary classical 
error-correcting codes and produces a quantum code. 
This construction generalizes easily to qupits. Take the 
parity check matrix of the first code Ci and replace j with 
X^ , interpreting the rows as generators of the stabilizer. 
Take the parity check matrix of the second code C2 and 
replace j with Z^ , again interpreting rows as generators 
of the stabilizer. The stabilizer must be Abelian — this 
produces a constraint on the two classical codes, namely 
that C2 C Ci. If Ci is an [n, fci, di] code and C2 is an 
[n,k2,d2] code, the corresponding CSS code will be an 
[[n, fci + fc2 — n, min{di, ^2}]] quantum code. 

Now consider the classical polynomial code D^ whose 
coordinates are (/(ai), . . . , /(««)). ai, . . . , a„ are n dis- 
tinct elements of Zp (recall that p > n), and / runs over 
polynomials of degree up to r^ There are r+1 coefficients 
to specify /, so Dr encodes r+1 pits. Given the function 
evaluated at r-|- 1 locations, we can use polynomial inter- 
polation to reconstruct the polynomial. In other words, 
even if n — (r + 1) coordinates of the code are missing, we 
can reconstruct the r + 1 coefficients specifying the poly- 
nomial. Thus, this is an [n,r + l^n — r] classical code — 
an MDS code. Also note that Dr C -Dr+i- 

The codes Dr provide good examples of purely clas- 
sical secret sharing schemes 0. If we choose the first 
r coefficients of the polynomial at random, any set of 
just r coordinates will contain no information about the 
remaining coefficient, so we get an (r + l,n) threshold 
scheme. Applying the CSS construction to the codes Dr 
and Dr-i |^,Q similarly produces good examples of 
quantum secret sharing schemes B . 

With this background, we are now ready to tackle the 
construction. 



Proof of Theorem lllp We will produce a class of secret 
sharing schemes which use one qupit for each share and 



encode two classical pits, whereas any purely classical 
scheme could only encode one pit. We will use the clas- 
sical codes Dr to create p^ related CSS quantum codes 
with certain useful properties. The secret sharing scheme 
will encode the p^ classical states as the mixture of all 
states in the corresponding code from this family. 

Lemma: The parity check matrix for the code Dr-i in- 
cludes a row R such that for any set of r+1 coordinates, 
there is a hnear combination of rows of Dr~i with sup- 
port exactly on that set of coordinates. R appears in the 
linear combination with coefRcient 1. Similarly, the dual 
code D^ has, in its parity check matrix, a row S which 
appears with coefRcient 1 in a linear combination with 
support on any given set ofn — s coordinates. 



For instance, we can take n 
Di has generator matrix 



4, r 



1, P 



G 



1111 
12 3 



(7) 



(generated by polynomials 1 and x), and D^ has gener- 
ator matrix 



G' 



2 4 13 

3 11 



(8) 



(The parity check matrix of Di is the generator matrix 
of D^ and vice-versa.) By subtracting j times the first 
row of G from the second row of G, we get a vector with 
support on the three-element set excluding coordinate j. 
Similarly, by adding some multiple of the first row of G" 
to the second row of G', we can get a vector with support 
on any three coordinates. 

Proof of Lemma: The codes Dr and D^ are linear, 
so we only need prove the coefficients of rows R and S 
are nonzero — then some rescaling will always give the 
result with coefficient 1. 

Since Dr is an MDS code of distance n — r, its dual is 
an MDS code of distance r + 2. Thus, the parity check 
matrix of Dr (which is also the generator matrix of -D^) 
has a linear combination of rows with support on any set 
of r + 2 coordinates, but no linear combination of rows 
has weight r+1 or less. Since Dr-i is included in Dr, but 
encodes one fewer pit, the parity check matrix of Dr^i is 
just the parity check matrix of Dr with one row R added. 
That parity check matrix has a linear combination of 
rows with support on any set of r -I- 1 coordinates. Since 
no linear combination of rows of D:^ has weight r+1, each 
of the weight r + 1 linear combinations must include a 
component of row R. A similar argument gives the result 
for D:^. D 



For an appropriate choice of the a^s, Dr is a Reed-Solomon 
code or an extended Reed-Solomon code. 



Now suppose we create the CSS code corresponding to 
the two classical codes Dr~i and D^. We require that 
s — n — r — 1, 2r > n. Then s < r, so Ds C Dr-i, and 



we have a quantum code. We are given two classical pits 
a and b to share among n parties. Assign a phase w" to 
the generator R corresponding to row R of Dr-i and a 
phase uj^ to the generator S corresponding to row S of 
D^. All the other generators have phase +1. Create the 
density matrix formed by a uniform mixture over states 
in the subspace specified by this stabilizer. There are p^ 
of these mixed states. 

Claim: The set of mixed states described above define 
a (fc, n) tlireshold scheme encoding 2 classical pits, with 
k = r + l = n — s. 



For instance, in the case n 
we get the stabilizers 



4, r = 2, s = 1, p = 5, 



X^ X* X X^ 

uj" X^ I X X 

Z Z Z Z 

Lu'' I Z Z^ Z^ 



(9) 



with cj = exp(27rj/5). The claim is that this gives a (3, 4) 
secret sharing scheme. 

I now proceed to establish the claim, which will prove 
Theorem |ll|. 

For any set T of fc coordinates, there will be an el- 
ement MR of the stabilizer with support on that set of 
coordinates, where M contains no factors of R or S. This 
follows from the lemma: There is a linear combination 
A/ + i? of rows of the parity check matrix of 13^-1 with 
support on T. This linear combination translates to an 
element of the stabilizer — the rows of the parity check 
matrix become generators of the stabilizer, addition of 
two rows becomes multiplication of the corresponding 
generators, and scalar multiplication of a row becomes 
taking the corresponding generator to the appropriate 
power. 

Since MR has support on T, we can measure its eigen- 
value with access only to T . M is a product of generators 
which are not R or S", so the state has eigenvalue -1-1 for 
M, and it has eigenvalue w° for MR. Thus, the eigen- 
value of MR tells us a. Similarly, there is an element XS 
of the stabilizer with support on T, with N having no fac- 
tors of R or S. We can measure the eigenvalue of 7V5, 
and it tells us h. Thus, any set of at least k coordinates 
is an authorized set. 

A particular value of the secret is encoded as a uniform 
distribution over states in the stabilizer code described 
above. Thus, the density matrix corresponding to the 
secret is the projection on the subspace which is left fixed 
by the stabilizer. That is. 



i 



Mf-^) 



(10) 
(11) 



(normalized appropriately). The Mi are the generators 
of the stabilizer S. Assume the appropriate phase is in- 
cluded in M in this sum (this means that if we wish M 



to have eigenvalue w, we include it as uj~^M , which has 
eigenvalue -1-1). 

Suppose T is a set of fc — 1 or fewer coordinates. The 
density matrix of T is the trace of p{ah) over the com- 
plement of T . Now, X , Z, and all nontrivial products of 
X and Z have trace 0. Thus, the only terms in the ex- 
pression for p{ab) which contribute to the trace are those 
coming from M with weight < fc— 1. But the parity check 
matrices for D^^i and D-^ contain no rows or linear com- 
bination of rows of weight less than fc. Thus, the density 
matrix of T is just the identity, regardless of the value of 
ab. Thus, T is unauthorized, proving the theorem. □ 
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